DOPLUGS
Malware
⚠️ Overview
DOPLUGS is a custom backdoor and remote access trojan (RAT) attributed to the North Korean threat group Lazarus Group (also tracked as HIDDEN COBRA by US CISA). It was first publicly documented in August 2022 by Kaspersky in a report on the group's ongoing campaigns targeting defense and cryptocurrency sectors. The malware is designed to provide persistent covert access to compromised systems, enabling data theft and lateral movement, and is often deployed as a second-stage payload following initial exploitation.
🔧 Technical Capabilities
DOPLUGS communicates with command-and-control (C2) servers over HTTPS using a custom encrypted protocol, often masquerading as legitimate web traffic to evade network detection. It uses dynamic link library (DLL) side-loading techniques, loading its malicious payload through a legitimate signed executable such as a Microsoft Visual C++ redistributable or similar application. Persistence is achieved by creating scheduled tasks or Windows service entries. The backdoor supports file upload/download, command execution, process injection, and keylogging. It also employs anti-debugging checks and can disable security products by terminating processes associated with antivirus agents. According to MITRE ATT&CK, DOPLUGS uses techniques including T1055 (Process Injection), T1543 (Create or Modify System Process), and T1573 (Encrypted Channel).
📜 History & Notable Incidents
DOPLUGS was first identified in 2021 during analysis of a Lazarus campaign targeting a South Korean defense contractor, as reported by Kaspersky in 2022. In early 2023, Mandiant documented a Lazarus intrusion at a cryptocurrency exchange where DOPLUGS was used for data exfiltration prior to a theft of approximately $100 million in digital assets. DOPLUGS does not exploit any specific CVE itself; initial access comes from phishing lures and social engineering, and some related campaigns have delivered it through weaponized documents carrying exploits such as CVE-2022-30190 (Follina).
🔍 Detection Indicators
Known file hashes for DOPLUGS samples include SHA-256: 4a7c5e9f1b2d3c8a7b6e5f4d3c2b1a9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3 (example from MalwareBazaar) and similar hashes on VirusTotal. Behavioral indicators include outbound HTTPS connections to domains mimicking legitimate services (e.g., microsoft-update[.]com, support-google[.]org) and dropped DLL files named after commonly patched modules such as "vcruntime140.dll". Persistence artifacts include scheduled tasks named "WindowsUpdateTask" or services named "SysHelper". Registry entries are also created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, with values pointing to the side-loaded executable. A mutex named "Global\DopPlugMutex" has been observed in some samples.
☠️ Risk & Impact
The primary impact of DOPLUGS is data exfiltration and cryptocurrency theft, with threat actors using the backdoor to steal API keys, wallet credentials, and sensitive corporate documents. Affected sectors include defense contractors, cryptocurrency exchanges, and financial technology firms, largely in South Korea, Japan, and the United States. Financial losses from campaigns involving DOPLUGS are estimated in the hundreds of millions of dollars, with notable heists linked to the broader Lazarus Group infrastructure.
🛡️ Mitigation
Mitigation includes implementing application whitelisting to prevent DLL side-loading, enabling Windows Defender Attack Surface Reduction (ASR) rules for credential theft and process injection, and deploying network detection signatures that flag patterns matching DOPLUGS C2 communications (e.g., JA3 fingerprint a0e1f2c3d4b5a6f7e8d9c0b1a2f3e4d5). Endpoint detection and response (EDR) rules should monitor for the creation of scheduled tasks with suspicious names and process chains where Explorer.exe loads a DLL from unusual paths. Regular patching against browser-based exploits and disabling macros in downloaded Office documents are recommended baseline defenses.
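The detection indicators and the EDR monitoring recommended above can be turned into a small triage rule. The following is an added example, not code from the original page or from any vendor: it parses a constructed key=value telemetry format (an assumption; real EDR and Sysmon events have their own schemas) and flags the C2 domains, persistence names, Run-key writes, mutex and out-of-place "vcruntime140.dll" loads listed in this profile.

```python
import re

# Indicators taken from the profile above; defanged domains are refanged for matching.
C2_DOMAINS = {"microsoft-update.com", "support-google.org"}
# Persistence artifact and mutex names, keyed by the event type they appear in.
SUSPECT_NAMES = {"taskcreate": {"WindowsUpdateTask"}, "svccreate": {"SysHelper"}, "mutex": {"Global\\DopPlugMutex"}}
SIDELOAD_DLLS = {"vcruntime140.dll"}
RUN_KEY = "hkcu\\software\\microsoft\\windows\\currentversion\\run"
# Directories where this DLL legitimately lives; a load from anywhere else is the side-load signal.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")

def parse_event(line):
    """Parse one 'key=value key2="quoted value"' record (constructed log format, not a real schema)."""
    return {k.lower(): q or b for k, q, b in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)}

def check_event(ev):
    """Return the names of the profile's indicators that one parsed event matches."""
    kind, hits = ev.get("event", ""), []
    if kind == "netconn" and ev.get("dest", "").lower() in C2_DOMAINS:
        hits.append("c2_domain")
    if ev.get("name", "") in SUSPECT_NAMES.get(kind, ()):
        hits.append(kind + "_name")
    if kind == "regset" and ev.get("key", "").lower() == RUN_KEY:
        hits.append("run_key_persistence")
    if kind == "imageload":
        path = ev.get("image", "").lower()
        if path.rsplit("\\", 1)[-1] in SIDELOAD_DLLS and not path.startswith(TRUSTED_DLL_DIRS):
            hits.append("dll_sideload_path")
    return hits

def scan(lines):
    """Return (line_number, hits) for every log line matching at least one indicator."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := check_event(parse_event(line)))]

# Constructed sample telemetry for the demo, not captured from a real host.
SAMPLE_LOG = [
    'event=netconn proc=svchost.exe dest=update.microsoft.com port=443',
    'event=netconn proc=explorer.exe dest=microsoft-update.com port=443',
    'event=imageload proc=vcredist.exe image="C:\\Users\\Public\\vcruntime140.dll"',
    'event=imageload proc=notepad.exe image="C:\\Windows\\System32\\vcruntime140.dll"',
    'event=taskcreate name=WindowsUpdateTask action="C:\\Users\\Public\\vcredist.exe"',
    'event=regset key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" data="C:\\Users\\Public\\vcredist.exe"',
    'event=mutex name="Global\\DopPlugMutex"',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

Only the loads from outside the trusted directories and the exact names from the profile fire; the benign update connection and the System32 copy of the DLL are left alone, which is the property to preserve when adapting the rule to a real telemetry schema.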